HIPAA Update

Eight tips to polish your hospital’s patient breach response

Dom Nicastro — Thu, 19 Nov 2009 14:34:35 +0000

Editor’s note: This is the third in a three-part series about breach notifications. Part one focused on how to prevent breaches. Part two tackled how to handle breaches. This installment offers some final tips if a breach occurs. focused on how to prevent breaches. Now that you’ve followed protocol—the government’s and your facility’s—consider these final checklist [...]

Four steps to manage patient information breaches

Dom Nicastro — Wed, 18 Nov 2009 14:17:25 +0000

Editor’s note: This is the second in a three-part series about breach notifications. This installment focuses on handling breaches. Your facility has a breach of unsecure PHI. What do you do? In addition to following requirements spelled out in HHS’ interim final rule on breach notification, consider these tips for handling the breach: Initiate an investigation immediately. The [...]

Five ways to prevent patient information breaches

Dom Nicastro — Tue, 17 Nov 2009 05:00:47 +0000

Editor’s note: This is the first in a three-part series about breach notifications. The first installment focuses on preventing breaches. The U.S. Department of Health and Human Services (HHS) on August 19 released its interim final rule on breach notification of unsecure protected health information (PHI) and the acceptable methods for covered entities (CE) and business [...]

Check out this major breach

Dom Nicastro — Mon, 16 Nov 2009 05:00:06 +0000

If you think your facility is safe because of strong breach prevention programs, think again. It can happen — anywhere, from one simple mistake.

Q&A: How CMS responds to HIPAA complaints

Dom Nicastro — Fri, 13 Nov 2009 05:00:00 +0000

Q: How does CMS handle a Health Insurance Portability and Accountability Act (HIPAA) complaint once received?

A: Upon receipt of a complaint, CMS will notify the filed against entity of the complaint, and provide them with an opportunity to demonstrate compliance, or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures to verify that they are compliant with the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is not compliant and has failed to correct their systems.

This Q&A is adapted from the CMS FAQ website page. To view this and other FAQs click here.

Burning medical records to CD

kmeyer — Thu, 12 Nov 2009 04:00:49 +0000

I was just informed from our compliance manager that in February of 2010 – due to HIPAA changes – that the medical records need to be burned to a CD before being sent out. Is this a true statement? Karen Meyer Health Information Services Supervisor Summit Orthopedics Woodbury, MN

HIPAA Q&A: Red Flags Rule

Dom Nicastro — Wed, 11 Nov 2009 04:00:00 +0000

Q. How does the HIPAA privacy rule coincide with the new Red Flags Rule, which requires providers with covered accounts to contact law enforcement if the provider suspects identity theft? May providers release PHI or discuss the patient’s case with law enforcement officials?

A. The Red Flags Rule does not require you to notify law enforcement officials of suspected identify theft. Instead, the rule permits you to do so. Most states' identity theft protection laws allow this as well. Informing law enforcement officials about a PHI breach and its nature does not violate HIPAA. Patient authorization is necessary before you disclose any specific identifiable information to law enforcement officials. Absent specific authorization, release of PHI to law enforcement would violate the HIPAA privacy rule.

Advising patients to contact law enforcement is the best course of action. If warranted, notify law enforcement of the breach and provide the perpetrator’s name if known, but don’t provide a list of affected patients.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Calling all ‘meaningful use’ experts

Dom Nicastro — Tue, 10 Nov 2009 16:40:20 +0000

Anyone out there interested in working with us on an audio conference in early February, based on the interim final rule on the definition of meaningful use of EHRs?

Guidance on HIPAA implications of H1N1

fruelas — Tue, 10 Nov 2009 04:00:00 +0000

Following the recent declaration for H1N1 flu as a national health emergency, the government posted a number of documents that have HIPAA implications, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ.

Ruelas points to this document on the CDC Web site that summarizes other related documents online.

“Many of these documents help clear up questions on whether the subsequent 1135 waivers suspend HIPAA, the time frame related to these waivers, and those provisions of the HIPAA privacy rule where the Secretary of HHS may waive sanctions and penalties,” Ruelas says.

New HIPAA whitepaper!

Dom Nicastro — Tue, 03 Nov 2009 19:56:03 +0000

Check out our new white HIPAA whitepaper, “HHS breach notification interim final rule: Form your incident response team, set policies and procedures to comply with new federal HIPAA Regulations. November, 2009.” Download a free copy of the whitepaper.